 From theCUBE Studios in Palo Alto in Boston, connecting with thought leaders all around the world, this is a CUBE Conversation. Hi everybody, welcome to this special CUBE Conversation. You know, with COVID-19 hitting, organizations really had to focus on business resiliency. And we've got two great guests here to talk about that topic. Bob Bender is the Chief Technology Officer at Founders Federal Credit Union. And he's joined by Jim Shook, who's the Director of Cybersecurity and Compliance Practice at Dell Technologies. Gentlemen, thanks for coming on theCUBE. Great to see you. Thanks, Dave. Great to see you, thank you. So Bob, let's start with you. Give us a little bit of background on Founders and your role. Founders Federal Credit Union is a financial institution that has about 225,000 members, serving them in 30 different locations located in the Carolinas. I serve as Chief Technology Officer, bringing in the latest technology and cyber resilient direction for the company. Great, and Jim, talk about your role. Is this a new role that was precipitated by COVID or is this something that Dell has had for a while? Certainly relevant. Yeah, it's actually been around for a while, Dave. The organization invested in this space, going back about five years I founded the Cybersecurity and Compliance Practice. So really my role is most of the time in the field with our customers, helping them to understand and solve their issues around the cyber resilience and cyber recovery field that we're talking about. But also to do that properly, spend a lot of time with organizations that are interested in that space. So it could be with an advisory partner, with the FBI, it might be a regulator, particularly a group like Sheltered Harbor that we've worked with frequently. So it's just really, as you point out, taken off first with ransomware a couple years ago and then with the recent challenges from work from home and COVID. So we're really helping out a lot of our customers right now. Bob, I've talked privately to a number of CIOs and CISOs and many have said to me that when COVID hit that their business continuance was really much to be archist. Now you guys actually started your journey way back in 2017. And so I wonder if you could take us back a few years and what were the trends that you were seeing that precipitated you to go on this journey? Well, I think we actually saw the malware, the horizon there. And I'll take you back a little further because I just love that story is, when we looked at the relationship of Dell EMC, we talked to the 1% of the 1% and who is protecting their environment, their data capital, the new critical asset in our environment. And Dell EMC was the top of the line every time. When we looked at the environment and what it required, what our assets under protection, again, we turned to Dell EMC and said, where do we need to go here? So you look at this Mecklenburg County, you look at the city of Atlanta, you look at Boeing and I hate to use the examples, but very large companies, some really experienced companies were susceptible to this malware attacks that we just knew ourself was going to change us. So the horizon was moving fast and we had to as well. Well, you're in a highly regulated industry as well. How did that factor into the move? Well, you're exactly right. We had on our budget, our capital budget horizon, to do an air gap solution and we were looking at that. So the regulatory requirements were requiring that, the auditors were in every day talking about that and we just kept framing that and what we were going to do in that environment. So, we wanted to make sure as we did this purpose built data bunker that we looked at everything, talked to the experts whether that was federal state regulation, you mentioned Sheltered Harbor, there's GDPR, all these things are changing. How are we going to be able to sustain a forward look as we stand this environment up? And you would think, and we also stood up a cybersecurity operations center. So we felt very confident in our run books and our incident response that you would think that we would be ready to execute but I'll share with you that we reached out every which way and a friend called me and was actually in a live ransomware band and asked if I wanted to come on to their site to help them through that incident because we had some expertise on our staff that they did not possess at that time. So going into that environment, spending 30 hours of the last 72 hours of an attack, we came back changed. We came back changed and went to our board and our executive said, we thought we knew what we were doing but when you see the need to change from one to 10 servers recovery to 372 hours, we just realized that we had to change our plan and we turned to the investment we have already made and what we have looked at for some time and said, Dell EMC, we're ready to look at that power protect cyber recovery solution. How can you stand this up very quickly? So Jim, I mean, Bob was saying that you looked at the 1% of the 1%. So these guys are early adopters but anything you can add to that discussion in terms of what you saw precipitate sort of the activity, let's go pre COVID certainly ransomware was part of that. Was that the big catalyst that you saw? It really was. So when we started to practice, it was kind of following up on the Sony pictures attack which hit Sony and that, but it was unique in that it was trying to destroy an organization as opposed to just steal their data. So we had financial industries really leading the way the regulators and the financial industry saying, gosh, these attacks could happen here and they would be devastating. So they kind of led the way and as our practice continued 2016 kind of became the year of ransomware and became more prevalent with the attackers getting more sophisticated and being able to monetize their efforts more completely with things like cryptocurrencies. And so as we come around and start talking to Bob, he still was well ahead of the game. People were talking about these issues starting to grow concerned but didn't really understand what to do. And Dave, I know we'll get to this a little bit later but even today, there's quite a bit of disconnect many times between the business understanding the risks of the business and then the technology which really is the business now but making those pieces fit together and understanding where you need to improve to secure against these risks is a difficult process. Well, and I think I'd love to come back to Bob and truly try to understand sort of how you pitch this to the board, if you will, how you made the business case, to Jim's point, the adversaries are highly capable. It's a lucrative business. I always talk to my kids about ROI, numerator and denominator. If you can raise the denominator, that's going to lower the value and that's kind of the business that you're in is making it less attractive for the bad guys but how did you present this to the board? Was it a board level discussion? It was, exactly. We brought Dell EMC, PowerProtect, Cyber Recovery solution to them and said, not only you're experiencing and seeing in the news daily these attacks in our regions but we have actually gone out into an environment and watched that attack play out. Not only that is when we stepped away and we ran through some tabletops with them and we stepped away and we said, are you okay? Do you know how it got in? Are you prepared to protect now and detect that again? Within 30 days, they were hit again by the same ransomware attacks and hackers. So I hate to say this but I probably fast forwarded on the business case and in the environment, the horizon around me, players, they kind of made my case for me. So I really appreciated that top-down approach. The board invested, the executive invested, they understood what was at risk. They understood that you don't have weeks to recover in the financial institution. You're dealing with thousands, hundreds of thousands of transactions per second. So it made my case. We had studied, we have talked to the experts. We knew what we wanted. We went to Dell EMC and said, I have six months and here's my spend. And that's from equipment hitting our colos and our data centers, standing up, standing at the runbooks and it's fully executed. And I wanted an environment that was not only holistic. We built it out to cover all of our data and that I could stand up the data center within that environment. I didn't need another backup solution. I needed a cyber recovery environment, a lifestyle change, if you'd say. It's got to be different than your BCP DR while it inherits some of those relationships. We fund it with employees separately. We treated the incident response separately and it is really benefited. I think we've really grown and we continue to stress that to educate ourselves not only at the board level, but by the bottom-up approach as well with the employees because they're part of that human firewall as well. Well, I mean, I think you've seen this where a lot of organizations, they do a checkbox on backup or as I was saying before DR, but then in this world of digital, when a problem hits, it's like, uh-oh, we're not ready. So I wonder, Jim, if we can get into this solution that Bob has been talking about, the Dell EMC PowerProtect Cyber Recovery Solution there's a mouthful there and you got the power branding going on. So what is that all about? Talk to us about the tech that's behind this. Yeah, it's something that we've developed over time and really kind of added to in our capabilities. So at its core, PowerProtect Cyber Recovery is going to protect your most critical data and applications so that if there is a cyber attack, a ransomware or destructive attack, they're safe from that attack and you can take that data and recover the most important components of the business. And to do that, we do a number of things, Dave. The solution itself takes care of all these things, but number one is we isolate the data so that you can't get there from here. If you're a bad actor, even an insider, you can't get to the data because of how we've architected it. And so we'll use that to update the critical applications and data, then we'll lock that data down. People will say use terms like immutability or retention lock. So we'll lock it down in that isolated environment and then we'll analyze it. So it's one thing to be able to protect the data with the solution. It's another to be able to say that what I have here in my data vault in my air gap isolated environment is clean. It's good data and if there was an attack, I could use that to recover. And then of course over time, we've built out all the capabilities. We've made it easier to deploy, easier to manage. We have very sophisticated services for organizations that need them. And then we can do a much lighter touch for organizations that have a lot of their built-in capabilities. So at its core, it's a recover capability so that if there was an attack that was unfortunately successful, you don't lose your business. You're not at the mercy of the criminals to pay the ransom. You have this data and you can recover. All right, so Bob, talk to us about sort of your objectives going into this, you know, it's more than a project. I mean, it really is a transformation of your resiliency infrastructure, I'll call it. But what were your objectives going in? I mean, a lot of companies are reacting, you know, and it's like, you don't have time to really think. But so what are the objectives? How long did it take to paint a picture of the project and what it looked like, you know, some of the high-level milestones that you were able to achieve? Well, I think several times Dell EMC was able to talk us off the edge, you know, where it really got complicated. You know, the foundation services is just one of your more difficult conversations. One of the top three, definitely, you know, patch management notification and how are you going to rehydrate that data, keeping that window very small to reduce that risk almost completely as you move? I think other areas to apply is that we really wanted to understand our data. And I think we're on a road to achieving that. It was important that if we were going to put it into the vault, it had a purpose. And if we weren't going to put it in a vault, let's see why that would, why would we choose to do that? Why would we have this data? Why would we have this laying around? Because that's a story of our members, you know, 225 stories of their ability to move into financial security. That story is now ours to protect. Not only do we want to serve you in your, in the services, in the industry and make sure you achieve what you're trying to, but now we have that story about you that we have to protect just as passionately. And we had that just, I think that was two of the biggest things. I think the third is that we wanted to make sure we could be successful moving forward. And I'll share with you that in the history of the credit, you know, we achieved one of the biggest projects here in the last two years, that umbrella of the cyber recovery solution protection was immediate. We plugged in a significant project of our data capital and it's automatically covered. So I take that out of the vendor responsibility, which is very difficult to validate, to hold accountable sometimes. And it comes back under our control into kind of this purpose-built data security and cyber resilient, you know, business strategy. That's a business strategy for us is to maintain that presence. So everything new, we feel that we're sized, that there's not going to be a rip and replace a huge architect will change because we did have this as an objective at the very beginning. Jim, when you go into a project like this, what do you tell customers in terms of things that they really should be focused on to have a successful outcome? Yeah, I'm going to say first aid, not everybody has a Bob Bender. So we have a lot of these conversations where we have to really kind of start from the beginning and work through it with our customers. If you approach this the right way, it's really about the business. So what are the key processes for your business can be different from a bank than from a hospital than from a school building? So what are the key things that you do? And then what's the tech that supports that and underlies those processes? That's what we want to get into the vault. So we'll have those conversations early on. I think we have to help a lot of organizations through the risks too. So understand the risk landscape, why doing one or two little things aren't really going to protect you from the full spectrum of attackers. And then the third piece really is, okay, where do we start? How do we get moving on this process? How do we get victory so that the board can understand and the business can understand and we can continue to progress along the way. So it's always a bit of a journey, but getting that first step and getting some understanding there on the threat landscape along with why we're doing this is very important. So Bob, what about any speed bumps that you encountered? What were some of those as, oh, no projects ever perfect. What'd you run into? How'd you deal with it? Well, I would say the foundation services were a major part of our time. So it really helped for Dell EMC to come and explain to us and look at that perimeter and how our data is brought into that and size that for us and make sure it's sustainable. So that is definitely could be a speed bump that we had to overcome. But today, because of those lifts, those efforts invested, the runbooks, the increase in new products, new data as our business organically grows is a non-event. It's very plug and play and that's what we wanted from the start. So again, you go back to that conversation of 1% or the 1% at saying who protects you? We followed that, we stayed with the partner, we trusted the horizon holistically has come back and paid for itself again and again. So, speed bumps, we just start, we're just enjoying that we were early adapters and we knew that I don't wanna throw out anybody out there but you look about two weeks ago there was a major announcement about an attack that was successful and they got them with ransomware and the company paid the ransom but it wasn't for the ransomware, it was for the data they stole so that they would delete it. So that's again why we wanted this environment is we needed time to react in the case that these malware's are growing much faster than we're capable of understanding how they're attacking. So now it's one, two punch, where's it gonna be, where's it gonna end? Well, we don't have to, we're not gonna likely be patient zero but we're also not gonna have to be up at night worrying that there's a new strain out there. We have a little time now that we have this secure environment that we know has that air gap solution that was built with the regulatory consideration, with the legal considerations, with the data capital, with the review of malware and such, you can go back in time and say, okay, scan this, see if I have a problem. So again, the partnership is, while we focus on our business, they're focusing on the strategy for the future and that's what we need. We can't be in both places at once. How long did the project take? Kind of from the point at which you agreed, signed the contract to where you felt like you were getting value out of the solution? Six months. And we were adamant. I mean, I put it off for a year and a half. That's two budget cycles basically is what it fell. And then I had to come back and ask for that money back because we felt so passionate that our data, our critical data didn't need to be at that risk any longer. So it was a very tight timeline. And again, product done on-prem within six months. And there was a lot of things going on there. So I just wasn't idle during that time. I was having a conversation with Dell EMC about our relationship in our contracts. Let's build that cyber resilience into the contract. Let's now we've got this, you know, power protect cyber recovery environment. Let's build it here where you also agree to bring on extra hardware or product if I need that. Let's talk about me being on a technology advisory panel so I can tell you where the regulation, the rising of the regulations are going so you can start to build that in. Let's talk about the executive board reporting of your products and how that can enable us. Because, you know, we're not just talking about cyber and protecting your data. We're talking about back then 60% of your, keep the lights on, IT person was spent with auditors talking about how we were failing. You know, this product helped us get ahead of that to now where we're data analytic or just analysts that can come back to the business table and say, we can stand that up very quickly, not only because of the hardware and the platform solution we have, but it is now covered with the cyber resilience of the cyber security recovery platform. So, you know, I want to ask you about analytics. Do you feel as though you've been able to go from what is generally viewed as a reactive mode into something that is more anticipatory or proactive using analytics? Oh, I definitely do. We pull analytics daily and sometimes hourly to make sure we're achieving our KPIs and looking at the KRIs, we do risk assessments from the industry to make sure if our controls layer of defenses are there and that they will still work what we stood up three years ago. So I definitely think we've gone from an ad hoc, rip and replace approach to transformation into a more of a threat hunting type of approach. So our cybersecurity operation center for us is very, very advanced and is always looking for opportunities not only to improve, to do self assessments, but we're very active. We're monetizing that with a QSO arm of the credit union to go out and help others where we're successful. So others that may not have that staff and it's very rewarding for us. And I hate to say it sometimes is that their expense of being in involved in the event of a ransomware attack or malware event, we learn so much the gaps we have but we could take this back, create run books and make the industry stronger and against these types of attacks. Well, so Jim, I mean, how you said earlier not every company has a Bob Bender. How common is it that you're able to see customers go from that reactive mode into one that is proactive? Is that rare? Is it increasingly common? I mean, it can't be a hundred percent but what are you seeing as trends? It's more common now. I mean, you think again back to Bob that's three plus years ago and he's been a tireless supporter and tireless worker in his industry in his community in the cyber area. And efforts like those of Bob's have helped so many other organizations I think understand the risks and take further action. I think too, Bob talks about some of the challenges with getting started in that three year timeframe our protect cyber recovery has become more productized our practice is more mature. We have more people, more help. We're still doing things out there that nobody else is touching. And so we've made it easier for organizations that have an interest in this area to deploy and deploy quickly and to get quick value from their projects. So I think between that some kind of the ease of use and then also there's more understanding I think of what the bad actors can do and those threats. This isn't about somebody maybe having an outage for a couple of hours. This is about the very existence of a business being threatened that if you're attacked you might not come back from it and there've been some significant example of that. You might lose hundreds of millions of dollars. So as that awareness has grown more and more people have kind of come on board and been able to leverage learnings from people like Bob who started much earlier. Well, I can see the CFO saying, okay, I get it. I have no choice where we're going to be attacked. We know that I got to buy the insurance, you got me. But I can see the CFO saying, is there any way we can get like additional value out of this? Can we use it to improve our processes and cut our costs? Or can we monetize this in some way? What's the reality there? Are you able to find other sources of value beyond just an insurance policy? Definitely Dave, you're exactly right. We're able to go out there and take these run books and really start to educate what cyber resilience means and what air gap means, what regulatory, what are you required to do and then what is your responsibility to do? And when you take these exercises that are offered and you go through them and then you change that perspective and go through a live event with other folks and see that, you know, after 60 hours of folks being up straight, it really changes your view to understand this is, we're never gonna, there's no finish line here. We're always gonna be trying to improve the product and why not pick somebody that you're comfortable with and you trust. And I think that's the biggest win we have from this is that was a Dell EMC partnership with us. It was very comfortable fit. We moved from, you know, back up in recovery into cyber resilience and cybersecurity as a business strategy with that partner, with our partner, Dell, and it hasn't failed us. And so it's very comforting. We're talking about quality of life for the employee. You know, you hear that keep the lights on and they've really turned into professionals to really understand what security means differently today and what that quality of data is. You know, reports aren't just reports. They're data capital, they're data, the currency, new currency today of the value we bring. So how are we gonna use that? How are we gonna monetize that? It's changing it. And then I hate to jump ahead, but we had our perimeters and 1% of our workforce remote and all of a sudden COVID-19 takes on a different challenge when we thought we were doing really good. Next, we had to move 50% of our employees out in five days. And because of that Dell EMC holistic approach, we were protected every step of the way. We didn't lose any time saying we bought the wrong control, the wrong hardware, the wrong software. It was a very comfortable approach. The runbooks held us. Our security posture stayed solid. It was again, it's been very rewarding. Well, that was my next question actually is because you started the journey. Sorry. No, no, it's okay. Because you started the journey early, were you able to respond to COVID in a more fast-sale manner? It sounds like you just went right in, but there's nuance there, right? Because you got now 50% or more of the workforce working at home. You got endpoint security to worry about. You got identity access management. And it sounds like you were kind of no problem. We've got this covered. Am I getting that right? You're exactly right, Dave. We test our endpoints daily. We make sure that we understand what residue of data is where. And when we saw that employee shift to a safe environment or consideration at that time, we felt very comfortable that the controls we had in place, again, Dell and their business partners were gonna hold true and be solid. And we test those metrics daily. I get reports back telling me, what's missing in patch management? What's missing in a backup? I'll go back to keeping BCP and cybersecurity separate. In the vault, we take a approach of recovering systems daily. And now that goes from maybe a 2% testing rate almost to 100% annually. So again, to your point, COVID was a real setback, but it wasn't, we just executed the same runbooks. We had been maturing all along. So it was very comfortable for our employees. It was very comfortable for our IT structure. We did not feel any service delays or outages because of that. And that's in the day when you have to produce that data, secure that data, every minute of every day of every year, and it's very comforting to know it's gonna happen. You don't push that button and nothing happens. It's executed as planned. Jim, did you see a huge spike in demand for your services as a result of COVID and how did you handle it? I mean, you guys got a zillion customers. How did you respond and make sure that you were taking care of everybody? We really did see a big spike, Dave. I think there were a couple of things going on. Bob points out the security posture changes very quickly. When you're sending people to work from home, more people remotely, you've expanded or kind of obliterated your parameter, you're not ready for it. And so security becomes even more important and more top of mind. So with Power Protect Cyber Recovery, we can go in and we can protect those most critical applications. So organizations are really looking at their full security posture. What can we do better to detect and protect against these threats? And that's really important. For us, we're focusing on what happens when those fail. And with that extension and people going home and then the threat actors getting even more active, the possibilities of those failures become more possible and the risks are just in front of everybody. So I think it was a combination of all of those things. Many, many customers came to us very quickly and said, tell us more about what you're doing here. How does it fit into our infrastructure? What does it protect us against? How quickly can we deploy? And so there has been a huge uptake in interest and we're fortunate in that, as you pointed out early on Dave, we invested early here, I'm five years into the practice. We've got a lot of people very mature, very sophisticated in this area. A lot of passion among our team and we could go take care of all those customers. Bob, if you had a mulligan thinking about this project, what would you do differently if you had a chance to do it over? I would, I think I would start earlier. I think that was probably the biggest thing I regret in that realizing that you don't have, you need to understand that you may not have the time you think you do. And luckily we came to our senses, we executed and I gotta say it was with common sense, comfortable products that we already understood. We didn't have to learn a whole new game plan. So, I don't worry about that. I don't worry about the sizing of the product because we did it, I feel correctly going in and it fits us as we move forward and we're growing at an increased rate that we may not expect. It's plug and play, again, I would just say, stay involved, get involved, know that what we know today about malware and these attacks are only gonna get more complicated and that's where I need to spend my time, my group become experts there. Let, why I really cherish the Dell EMC relationship is from the very beginning, they've always been very passionate on delivering products that recover and protect and now are cyber resilient. I don't have to challenge that. You pay for what you get for what you get and I just gotta say, I don't think there's much other than I would have started earlier. So, start today, don't put it off. You said earlier though, you're never done, right? You never are in this industry. So, what's your roadmap look like? Where do you wanna go from here with this capability? I definitely want to keep educating my staff, keep training them, keep working with Dell. Again, I tell you there's such forward thinking as a company, they save me that investment. So, if you're looking at part of the investment, it's gotta be, are you with a partner that's forward thinking? So, we definitely want to mature this, make sure, challenge it, keep challenging it, keep working with Dell and their products to deliver more. Again, we go to the federal and state regulatory requirements. You go to the sheltered harbor, the ASET testing for the NC way regulators, just software asset management. You can keep on going down the line. This product keeps, to say it's kind of like the iPhone. You think about how many products the iPhone has now made not relevant. I don't even own a flashlight, I don't think. This is kind of what the Dell product line brings to me is that I can trust they're going to keep me relevant so I can stay at the business table and design products that help our members today. Jim, how about from Dell's perspective, the sort of roadmap, without giving away any confidential information, where do you want to take this? I mean, we talk about air gaps, we talk about, and I've seen, I remember watching that documentary zero days and hearing them say, oh, we got through an air gap, no problem. So analytics obviously plays a role in this. Machine intelligence, machine learning, AI. Where does Dell want to take this capability? Where do you see that going? We've got some things in mind and then we're always going to listen to our customers and see where the regulations are going to and thus far we've been ahead of those with the help of people like Bob. I think where we have a huge advantage, Dave, is with PowerProtect Cyber Recovery. It's a product, so we've got people who are dedicated to this whole time. We have a maturing organization in the field to deliver it and to service it and having something as a product like that really enables us to have roadmaps and support and things that customers need to really make this effective for them. So as we look out kind of on the product and thanks for your reminder, I don't want to risk saying anything here I'm gonna get in trouble for. We kind of look at things in three paths. One is we want to increase the ability for our customers to consume the product. So they want it in different forms. They might want it in appliances, in the cloud, virtual. All of those things are things that we've developed and continue to develop. They want more capability. So they want the product to do more things. They want it to be more secure to keeping up. As you mentioned, machine learning with the analytics is a big key for us. Even more mundane things like operational information makes it easier to keep the vault secure and understand what's going on there without having to get into it all the times. Those are really valuable. And then our third point really, we can't do everything. And so we have great partners, whether they're doing delivery, offering cyber recovery as a service or providing secure capabilities like our relationship with Unisys. They have a stealth product that is a zero knowledge, zero trust product that helps us to secure some of the connections to the vault. We'll keep iterating on all of those things to be innovative in this space, working with the regulators, doing things. Bob's mentioned a couple of times, Sheltered Harbor, we've been working with them for two years to have our product endorsed to their specification, something that nobody else is even touching. So we'll continue along all those paths but really following our customers lead in addition to maybe going to some places that they haven't thought about before. It's great guys. I have to sort of share that when you talk to SecOps pros, you ask them what their biggest challenge is and they'll say lack of talent, lack of skills. And so this is a great example, Jim, you were mentioning it, you've productized this. This is a great example of a technology company translating IT labor costs into R&D and removing those so customers can spend time running their business. Bob and Jim, thanks so much for coming on theCUBE. Great story, really appreciate your time. Thank you, Dave. Thanks, Bob. All right, and thank you everybody for watching. This is Dave Vellante for theCUBE. We'll see you next time.